General Client Configuration Recomendations

In general, citadel offers all of the common mail protocols. But, with some assumptions that ease the admins and the programmers life and makes the system more fool proof. You should read this carefully before integrating Citadel in your network and firewall concepts. Citadel just offers plain auth, so if you're connecting via the internet be sure to have done StartTLS or have a SSL conenction.

What is StartTLS/SSL?

Both of them do encryption. StartTLS starts plain text communication, and afer some conversation the client issues a StartTLS command, that initiates the encryption. SSL is just wrapping encryption around the base protocol, you could use the plain text protocol port, and wrap stunnel in front of it to achieve allmost the same result.

What do you mean by Relaying vs. Local delivery?

Local delivery refers to mail whose final recipient is a user on your Citadel system. Relaying refers to the delivery of a message via your Citadel system to some remote recipient. Citadel is not a general-purpose MTA -- which is to say, any email flowing through your server must either originate or terminate there. This makes it impossible to accidentally configure Citadel as an open relay.

SMTP

SMTP is the Internet protocol for delivery of mail. Citadel speaks this protocol on five different ports:

• TCP port 25 (SMTP) - inbound email for your users will arrive on this port. It supports optional encryption using STARTTLS and also accepts user authentication. Citadel will only accept outbound mail on this port if it is submitted by an authenticated user, otherwise all incoming email must be addressed to a user on the local system, or it will be rejected.
• TCP port 465 (SMTPS) - this port behaves the same as port 25, except that SSL negotiation must take place immediately upon connection.
• TCP port 587 (SMTP-MSA) - this port behaves the same as port 587, except only authenticated connections are permitted. End user email software running on desktops or phones should use this port for submitting mail into the system.
• Unix domain socket lmtp.socket - this port speaks the LMTP dialect of SMTP. It is used when you have a third-party MTA receiving mail for the system, and it provides a way for that MTA to deposit mail into the Citadel system.
• Unix domain socket lmtp-unfiltered.socket - this is the same as lmtp.socket except that all anti-spam and anti-virus filtering is disabled. This is useful if you perform those functions elsewhere.

POP3

POP3 does not understand the concept of folders, so this protocol will only provide access to your inbox. Citadel offers this protocol on two ports:

• TCP port 110 (POP3) - this port provides the standard POP3 service, and offers STARTTLS encryption.
• TCP port 995 (POP3S) - this port provides the same service as port 110, except that SSL negotiation must take place immediately upon connection.

IMAP

IMAP is the standard protocol for accessing email servers using client software. The protocol handles all folders and more advanced operations. Citadel offers this protocol on two ports:

• TCP port 143 (IMAP) - this port provides the standard IMAP4 service, and offers STARTTLS encryption.
• TCP port 993 (POP3S) - this port provides the same service as port 143, except that SSL negotiation must take place immediately upon connection.

Binding a service to more than one port

As noted above, Citadel offers several SMTP services, and separate ports for the SSL enabled versions of several protocols. Thus it is not possible to bind several ports with one service. However, if you want to make the same service available on multiple ports, your operating system can usually do this for you. For example, if you are running Citadel on port 25, here is a way to get Linux to also listen on port 2525 and redirect connections to port 25:

/sbin/iptables -t nat -I PREROUTING -p tcp --dport 2525 -j REDIRECT --to-port 25

This would be used if, for example, your ISP blocks port 25 and you have arranged to have your inbound email relayed to your server on an alternate port.